Nmap Scripting Engine (NSE)
Runs Lua scripts (-sC for the default set, --script <name|category> for specific ones) for vuln detection, brute force, malware discovery, and automation.
-sV
Version detection: probes open ports to identify the service, application name and version rather than guessing from the port number.
-O
OS fingerprinting using TCP/IP stack behavior.
-A
Aggressive mode: equivalent to -O (OS detection), -sV (version detection), -sC (default NSE scripts) and --traceroute. Noisy; not for stealth.
-sS vs -sT
SYN scan (-sS) sends a SYN and never completes the handshake (half-open), so fewer services log it; it needs raw-socket privileges (root/Administrator) and is the default when privileged. TCP connect scan (-sT) completes the full three-way handshake through the OS socket API, so it works unprivileged but is noisier and more likely to be logged by the target.
-sN / -sF / -sX
Null (no flags), FIN, and Xmas (FIN/PSH/URG) scans rely on RFC 793 behavior: a closed port answers RST, an open port stays silent. They cannot tell open from filtered, and they fail against Windows and other stacks that RST every non-SYN probe.
Idle Scan (-sI)
Uses a third-party 'zombie' host with a predictable, incrementing IP ID counter: Nmap spoofs probes from the zombie's address and reads the zombie's IP ID changes to infer port states, so the target only ever sees the zombie's IP. Usage: -sI <zombie> <target>. Slow, and needs a truly idle zombie (the ipidseq NSE script checks candidates).
-PE / -PS / -PA / -PU / -PR
Host discovery probe types: -PE ICMP echo, -PS TCP SYN (port 80 by default; -PS22,443 to choose ports), -PA TCP ACK, -PU UDP, -PR ARP (local Ethernet segment only).
-Pn
Treat all hosts as up and skip the host discovery stage; use when ICMP and the default discovery probes are blocked. Every target then gets port-scanned, so large ranges take much longer.
-p
Port specification: individual ports, ranges or per-protocol lists, e.g., -p 80,443, -p 1-1000, -p- (all 65,535), -p U:53,T:22 (UDP and TCP). Without -p, Nmap scans the 1,000 most common TCP ports.
--top-ports <n>
Scans the <n> most common ports (ranked by frequency in the nmap-services file) instead of the default 1,000.
--exclude <targets>
Excludes specific hosts or subnets (comma-separated) from the scan; --excludefile <file> reads the list from a file.
-T0 to -T5
Timing templates: 0=paranoid, 1=sneaky, 2=polite, 3=normal (default), 4=aggressive, 5=insane. Lower is slower and quieter: -T0/-T1 serialize probes with long delays for IDS evasion; -T4/-T5 assume a fast, reliable network and can miss ports or overwhelm hosts.
-f / --mtu <n>
Fragments probe packets (-f splits into 8-byte payload fragments, -ff into 16; --mtu sets the fragment size, which must be a multiple of 8) to evade simple packet filters and IDS that inspect single packets. Stateful firewalls and modern IDS reassemble fragments, so do not rely on this alone.
-oN / -oX / -oG / -oA
Output formats: -oN normal (human-readable), -oX XML (for parsers and other tools), -oG grepable (one line per host for grep/awk), -oA <basename> writes all three at once.
Scenario: Scan only the top 100 ports
Use --top-ports 100 (e.g., nmap --top-ports 100 <target>).
Scenario: Evade IDS by slowing probes
Use --scan-delay <time> (e.g., --scan-delay 1s) or -T0/-T1; --max-rate <n> caps packets per second if you need a hard ceiling.
Scenario: Need scan results for a report and XML parser
Use -oA results (creates results.nmap, results.xml and results.gnmap in one run).
Scenario: ICMP blocked but need discovery
Use -PS (TCP SYN, e.g., -PS22,80,443) or -PA (TCP ACK) against ports the target is likely to allow; if that also fails, -Pn skips discovery and scans every address.
Scenario: Local network host discovery
Use ARP scan (-PR); on a directly connected Ethernet segment a privileged Nmap already uses ARP by default, since hosts must answer ARP even when they drop ICMP. Add -sn to do discovery only, without a port scan.
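The -oA/-oG output and the -p port specification above fit together in a common workflow: a fast scan across all ports writes grepable output, and the open ports are pulled out of the .gnmap file to drive a targeted -sV follow-up. The script below is an added example, not part of the original cheat sheet and not Nmap's own tooling; the .gnmap content it parses is a constructed sample in the real grepable layout, and the host addresses and followup_ file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): parse Nmap grepable output
# (-oG, or the .gnmap written by -oA) with awk and turn the open TCP ports into
# a -p list for a targeted follow-up -sV scan. The .gnmap content below is a
# constructed sample, not real scan output; hosts and file names are hypothetical.

SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT

# Constructed sample in -oG layout: tab-separated fields after "Host:", and each
# scanned port listed as port/state/proto//service//version/ in the Ports: field.
{
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -p- -oA results 10.0.0.5 10.0.0.6\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.22/, 443/open/tcp//https//nginx 1.22/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
  printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (65534)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds\n'
} > "$SAMPLE_GNMAP"

# Print "host port,port,..." for every host with at least one open TCP port.
# Filtered ports and UDP entries are skipped, so 8080 and 53/udp do not appear.
open_tcp_ports() {
    awk -F '\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entries, ", ")
                list = ""
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")   # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open" && f[3] == "tcp")
                        list = list (list == "" ? "" : ",") f[1]
                }
                if (list != "") print host, list
            }
        }' "$1"
}

# Print one targeted version-detection command per host, limited with -p to the
# ports found open above. Commands are printed, not executed, so this runs offline.
followup_commands() {
    open_tcp_ports "$1" | while read -r host ports; do
        printf 'nmap -sV -Pn -p %s -oA followup_%s %s\n' "$ports" "$host" "$host"
    done
}

followup_commands "$SAMPLE_GNMAP"
```

Hosts that are up but expose no open TCP port (10.0.0.6 in the sample only has 53/udp) produce no follow-up command; extend the f[3] check if UDP services should be carried into a -sU follow-up as well.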